WEBVTT 00:00.000 --> 00:11.000 And I have everyone, this is a sick place, UK, CIDOCI, Introduction to a Secure 00:11.000 --> 00:13.000 Container and Time for Linux. 00:13.000 --> 00:17.000 I'm a lipolotel and I serve a developer. 00:17.000 --> 00:23.000 Before we start, here is some information about CID, you can take a photo if you want. 00:23.000 --> 00:28.000 We have a CTF game, if you want to play and check out CID, 00:28.000 --> 00:32.000 and we have extensive documentation as main pages. 00:32.000 --> 00:37.000 And if you have any questions that you can ask here, just pop up on, I'll see your metrics and find me. 00:37.000 --> 00:39.000 I'm usually there. 00:39.000 --> 00:45.000 So, yeah, and before we start, again, I should be perfectly honest. 00:45.000 --> 00:47.000 I know next to nothing about containers. 00:47.000 --> 00:53.000 And me, having written a container runtime was a bit of an accidental thing. 00:53.000 --> 00:59.000 And today, it wouldn't have been possible without the great work of the UK developers, 00:59.000 --> 01:01.000 which they told me they've been watching. 01:01.000 --> 01:05.000 So, I want to give a round of applause to the UK developers. 01:05.000 --> 01:08.000 Thank you. 01:08.000 --> 01:11.000 So, what's the UK, I got this from their manual page. 01:11.000 --> 01:14.000 It's an implementation of all-sear runtime spec in Rust. 01:14.000 --> 01:19.000 So, it's basically run-seer it in Rust, you can think of it like. 01:19.000 --> 01:20.000 And this is how it's pronounced. 01:20.000 --> 01:24.000 It's a Japanese word meaning cheerful or merry or hilarious. 01:24.000 --> 01:30.000 And they have their reasons for picking Rust here, which is Rust is one of the best languages 01:30.000 --> 01:32.000 to implement the OCI runtime spec. 01:32.000 --> 01:36.000 Many, very nice container tools are currently written and go, however, 01:36.000 --> 01:41.000 the container runtime requires use of system calls, which requires a bit of special handling 01:41.000 --> 01:42.000 that implemented and go. 01:42.000 --> 01:46.000 I'll speak a bit about this later than comparing Rust with go. 01:47.000 --> 01:54.000 So, writing container runtime in Rust is typically a bit easier than writing in Go. 01:54.000 --> 01:56.000 So, what is CIDOCI? 01:56.000 --> 02:00.000 CIDOCI was basically a friend of mine coming to me and telling me, 02:00.000 --> 02:03.000 why aren't you making CIDA container runtime? 02:03.000 --> 02:06.000 And as I said, I know nothing about containers, 02:06.000 --> 02:09.000 and I was like, is there anything that I can use for this? 02:09.000 --> 02:12.000 And then I came across UK. 02:13.000 --> 02:17.000 For a bit of introduction, CIDA is a sandbox to, 02:17.000 --> 02:22.000 with a motto to make sandboxing as easy as text searching is with crap. 02:22.000 --> 02:26.000 And for those who want to know more, watch my talk in the morning, 02:26.000 --> 02:30.000 if you haven't watched it already, or go to our manual pages and check it out. 02:30.000 --> 02:39.000 And what you'll keep people have also done very nicely is that they have actually written libraries, 02:39.000 --> 02:41.000 not just the binary. 02:41.000 --> 02:45.000 So, they provided the Rust environment very nice libraries, 02:45.000 --> 02:48.000 so everyone can go out and write their own container runtime, 02:48.000 --> 02:53.000 which is what I did basically CIDOCI was just a weekend's work to, 02:53.000 --> 02:58.000 to replace the default executor with a special executor for sit. 02:58.000 --> 03:01.000 And basically, Yoki sets up everything and in the very last stage, 03:01.000 --> 03:04.000 before he execute the binary, we set up to sit sandbox, 03:04.000 --> 03:07.000 and you execute it inside the sandbox. 03:08.000 --> 03:12.000 So, that came CIDOCI. 03:12.000 --> 03:16.000 CIDOCI is a secure container runtime for OCI compliant Linux containers. 03:16.000 --> 03:19.000 It's GPL-3 and it's forever free. 03:19.000 --> 03:21.000 And this is how you install it. 03:21.000 --> 03:24.000 You need to pass features OCI when you are building sit. 03:24.000 --> 03:26.000 It's not enabled by default. 03:26.000 --> 03:30.000 And we have Pandora for learning mode, 03:30.000 --> 03:33.000 which I will try to display in a bit. 03:33.000 --> 03:36.000 And then it's just a matter of passing runtime CIDOCI 03:36.000 --> 03:40.000 to Docker or PodMan or whichever container I'm using. 03:40.000 --> 03:43.000 It should just work as a dossier compliant. 03:43.000 --> 03:46.000 And how do we do this? 03:46.000 --> 03:50.000 This is a bit of how CIDOCI works. 03:50.000 --> 03:54.000 And basically, the idea is you have a sandbox policy, 03:54.000 --> 03:58.000 and you load this policy into sit on at startup. 03:58.000 --> 04:01.000 You can also configure the sandbox as you go, 04:01.000 --> 04:03.000 which I'll also display to you. 04:03.000 --> 04:10.000 And this page goes on to explain how this file is picked. 04:10.000 --> 04:15.000 And in the last, you will see if you have no files to configure, 04:15.000 --> 04:18.000 then sit below this built in OCI profile. 04:18.000 --> 04:21.000 And this is designed to be used with Pandora and learning mode. 04:21.000 --> 04:23.000 So, you can run your container first. 04:23.000 --> 04:26.000 Check if it's behavior, create a profile, 04:26.000 --> 04:30.000 and then force a profile, and then you sit like that. 04:31.000 --> 04:34.000 And now here, give a brief comparison with Jeevizer, 04:34.000 --> 04:39.000 because Jeevizer seems to be the most commonly used sandbox these days, 04:39.000 --> 04:42.000 and yeah. 04:42.000 --> 04:46.000 So, what's different in sit OCI than Jeevizer? 04:46.000 --> 04:48.000 It's first of all, it's Rust versus Go, 04:48.000 --> 04:51.000 which is a completely different poll subject. 04:51.000 --> 04:53.000 I will not go deep here. 04:53.000 --> 04:59.000 However, I will explain my part of it in writing a sandbox in Rust. 04:59.000 --> 05:02.000 Last, there's a idiomatic and strict error checking, 05:02.000 --> 05:05.000 which really helps when you're writing safe code. 05:05.000 --> 05:07.000 Last has no garbage collection. 05:07.000 --> 05:10.000 Again, this is a subject for a different poll. 05:10.000 --> 05:14.000 I will not discuss whether having a garbage collection is good or not. 05:14.000 --> 05:16.000 But when writing that low-level code, 05:16.000 --> 05:20.000 having less side effects in code actually allows directly 05:20.000 --> 05:22.000 for more refined perceived threat, second, 05:22.000 --> 05:24.000 PDF filters, for instance. 05:24.000 --> 05:28.000 And we have in sit, sit is a multi-traded process, 05:28.000 --> 05:30.000 and each process has a different name, 05:30.000 --> 05:32.000 and they have their different duties, 05:32.000 --> 05:37.000 sit mains, it emu, sit monitor and sit interrupt and so on. 05:37.000 --> 05:41.000 And each of these threat confines itself on its own, 05:41.000 --> 05:44.000 based on their duties and so on. 05:44.000 --> 05:46.000 And what else is different? 05:46.000 --> 05:49.000 We have a position in dependent executables. 05:49.000 --> 05:51.000 You cannot, as far as I know, 05:51.000 --> 05:54.000 to this day, build, grow binary's position independently. 05:55.000 --> 05:58.000 So typically, a compromised device that is far less severe 05:58.000 --> 06:00.000 than a compromised sit. 06:00.000 --> 06:03.000 And moreover, sit also enforces position 06:03.000 --> 06:05.000 in dependent executables. 06:05.000 --> 06:09.000 So you cannot execute non-py binary's under sit, 06:09.000 --> 06:13.000 unless you actually set it start up to allow them. 06:13.000 --> 06:16.000 Then sit set 80 secure, 06:16.000 --> 06:20.000 the auxiliary vector, like a parmordas, 06:21.000 --> 06:23.000 which means you don't get to load, 06:23.000 --> 06:28.000 or load, or elderly luxury pet or other shenanigans. 06:28.000 --> 06:30.000 And we have set big art. 06:30.000 --> 06:35.000 Again, I like to do this a bit in my last talk. 06:35.000 --> 06:39.000 And we have mitigations for the secret and oriented programming, 06:39.000 --> 06:43.000 and the return oriented programming, the device that doesn't have. 06:43.000 --> 06:46.000 And you can go ahead and read about this in sit, 06:46.000 --> 06:49.000 seven manual page, it's all documented nicely. 06:49.000 --> 06:52.000 And sit also, I is not as simply faster than G-wiseer. 06:52.000 --> 06:54.000 I'm not going to give any numbers, 06:54.000 --> 06:57.000 because I don't really have clean benchmarks honestly, 06:57.000 --> 07:01.000 but typically sit also, 07:01.000 --> 07:04.000 I does less isolation, so it has less overhead. 07:04.000 --> 07:06.000 I'm not claiming they are doing the same thing, 07:06.000 --> 07:08.000 and I'm doing it much faster. 07:08.000 --> 07:11.000 Now, G-wiseer has their own memory management, 07:11.000 --> 07:13.000 their own network stack and so on, 07:13.000 --> 07:15.000 and that's why they have more overhead, 07:15.000 --> 07:18.000 and yeah. 07:18.000 --> 07:21.000 For those who are interested, they can go to the Git repo, 07:21.000 --> 07:23.000 and check out the benchmarks. 07:23.000 --> 07:25.000 Typically, the numbers are in, like, 07:25.000 --> 07:28.000 four, four sit, it's 10 to 15 percent. 07:28.000 --> 07:30.000 I would have in my measurements and for device, 07:30.000 --> 07:33.000 it varies between 40 to 70 percent. 07:33.000 --> 07:36.000 And the device has layered security, 07:36.000 --> 07:38.000 which is really impressive, 07:38.000 --> 07:40.000 and we have something similar, 07:40.000 --> 07:42.000 and I want to give an example here, 07:42.000 --> 07:45.000 which we had in effect in real time, 07:45.000 --> 07:47.000 very recently. 07:47.000 --> 07:52.000 Sit with sit, you can also use landlock as an additional, 07:52.000 --> 07:55.000 as an additional layer, 07:55.000 --> 07:59.000 and landlock has recently had a break. 07:59.000 --> 08:03.000 People who are interested can go to the CD and look for it. 08:03.000 --> 08:05.000 The break was essentially, 08:05.000 --> 08:08.000 you would execute a malicious case CTL call, 08:08.000 --> 08:11.000 and then the landlock was broken and you could open any path. 08:11.000 --> 08:15.000 But under said, because the malicious case CTL call, 08:15.000 --> 08:17.000 and the open happens in different processes, 08:17.000 --> 08:21.000 sit, email processes are responsible 08:21.000 --> 08:23.000 for actually running the system calls. 08:23.000 --> 08:26.000 Sit does not continue the system call in the sandbox process, 08:26.000 --> 08:27.000 after the access check, 08:27.000 --> 08:29.000 and such is not vulnerable to time of check, 08:29.000 --> 08:30.000 to time of use. 08:30.000 --> 08:32.000 And if you need more fast, 08:32.000 --> 08:34.000 go fast and roll my loops. 08:34.000 --> 08:36.000 For every mitigation in sit, 08:36.000 --> 08:38.000 we have an allow one safe close 08:39.000 --> 08:42.000 that you can use to disable that mitigation. 08:42.000 --> 08:44.000 There is like maybe 30 of them right now, 08:44.000 --> 08:48.000 and the three most important that come to mind 08:48.000 --> 08:51.000 when you want performance at this. 08:51.000 --> 08:56.000 My default sit will run processes with low priority, 08:56.000 --> 08:58.000 and we use P trace, 08:58.000 --> 09:01.000 and you can disable all of these if you want. 09:01.000 --> 09:03.000 As in, see this is a general purpose sandbox. 09:03.000 --> 09:06.000 There is no way to write a one per one, 09:06.000 --> 09:08.000 one size CTL type of sandbox. 09:08.000 --> 09:10.000 It's typically impossible, 09:10.000 --> 09:12.000 but what we do is for every mitigation, 09:12.000 --> 09:14.000 we have an allow one safe close, 09:14.000 --> 09:18.000 so you can disable it and use it for your own case. 09:18.000 --> 09:23.000 And yes, now I will try to display it a little bit. 09:23.000 --> 09:25.000 I don't have a really demo yet, 09:25.000 --> 09:28.000 but what I have here is, 09:28.000 --> 09:30.000 let me quickly show you. 09:30.000 --> 09:33.000 Can everyone in the back seat, 09:33.000 --> 09:34.000 what's written? 09:34.000 --> 09:35.000 Yes, that's great. 09:35.000 --> 09:40.000 Okay, so this should be a little container file here. 09:40.000 --> 09:41.000 Yeah. 09:41.000 --> 09:46.000 So this is how you configure all CI for podmen, 09:46.000 --> 09:49.000 and I'm going to run a rootless podmen here now, 09:49.000 --> 09:55.000 with run hopefully, yes, this one. 09:55.000 --> 09:59.000 So as usual, there is nothing special, 09:59.000 --> 10:03.000 we are running in the sit and the way you learn this is, 10:03.000 --> 10:05.000 through the mask. 10:05.000 --> 10:08.000 So you get some fancy pink fluid lyrics. 10:08.000 --> 10:10.000 And then, right now, 10:10.000 --> 10:15.000 the sandbox is running in warning mode. 10:15.000 --> 10:18.000 So every warning is put into the mask. 10:18.000 --> 10:22.000 You can also make it right to standard error, 10:22.000 --> 10:23.000 or do something else, 10:23.000 --> 10:27.000 and just, it's basically a lines of JSON. 10:27.000 --> 10:30.000 You can fit them up to Pandora after whatever you want. 10:30.000 --> 10:32.000 And here I will just basically show you, 10:32.000 --> 10:34.000 just download a page, 10:34.000 --> 10:36.000 and then, 10:36.000 --> 10:38.000 and then, actually, 10:38.000 --> 10:39.000 hang on. 10:39.000 --> 10:40.000 Yes. 10:40.000 --> 10:43.000 This is going to be a little tricky, 10:43.000 --> 10:44.000 but let me see. 10:44.000 --> 10:45.000 I want to, 10:45.000 --> 10:46.000 right? 10:46.000 --> 10:48.000 Yes. 10:48.000 --> 10:54.000 I'm going to copy the Pandora static binary into it. 10:54.000 --> 10:57.000 This will be much more easier when distributions have 10:57.000 --> 10:59.000 upon Pandora and sit package, of course, 10:59.000 --> 11:01.000 but just for now. 11:01.000 --> 11:03.000 We have Pandora in the container now, 11:03.000 --> 11:08.000 and I will tell Pandora to just go through the system, 11:08.000 --> 11:10.000 and create me a profile. 11:10.000 --> 11:11.000 This takes a bit, 11:11.000 --> 11:15.000 because it is going to verify the check sums of the binaries, 11:15.000 --> 11:18.000 but not too much, hopefully. 11:18.000 --> 11:20.000 Wish me luck. 11:20.000 --> 11:22.000 Come on. 11:22.000 --> 11:25.000 Okay, so the idea is, 11:26.000 --> 11:28.000 we have all the sandbox blocks, 11:28.000 --> 11:31.000 and then we take them and create them. 11:31.000 --> 11:34.000 Okay, let's make this actually. 11:34.000 --> 11:37.000 And the faster. 11:37.000 --> 11:39.000 All right, okay. 11:39.000 --> 11:40.000 Anyhow. 11:40.000 --> 11:42.000 So, we generate the profile. 11:42.000 --> 11:44.000 I will quickly show you the profile. 11:44.000 --> 11:48.000 So, these are what we have done so far. 11:48.000 --> 11:50.000 We have downloaded the web pages. 11:50.000 --> 11:51.000 You can see these are there. 11:51.000 --> 11:54.000 We did some terminal I obtained and so on. 11:54.000 --> 11:56.000 Everything is in here. 11:56.000 --> 12:01.000 And now you can actually load this in runtime dynamically, 12:01.000 --> 12:07.000 into sit with some fancy command that we have here. 12:07.000 --> 12:10.000 Dev sit is the virtual path that you use. 12:10.000 --> 12:13.000 Load is used to load a file descriptor. 12:13.000 --> 12:14.000 It can be any descriptor. 12:14.000 --> 12:16.000 It doesn't matter. 12:16.000 --> 12:18.000 And before we do this, 12:18.000 --> 12:21.000 let me quickly show you the state of the sandbox. 12:21.000 --> 12:25.000 Again, as you can see, right now. 12:25.000 --> 12:27.000 The default action is warm. 12:27.000 --> 12:30.000 So it's going to just warm and do nothing. 12:30.000 --> 12:34.000 So now we are going to load. 12:34.000 --> 12:37.000 Let's go. 12:37.000 --> 12:39.000 Yes. 12:39.000 --> 12:42.000 As you see, we have loaded this file into sit. 12:42.000 --> 12:44.000 And now if I try again, 12:44.000 --> 12:48.000 you'll see the rules are actually loaded into sit. 12:48.000 --> 12:52.000 And this is still not enforced to actually enforce. 12:52.000 --> 12:57.000 You need to do a final bit to load and force profile. 12:57.000 --> 13:04.000 And now if I try to download the same page, 13:04.000 --> 13:06.000 it's going to work. 13:06.000 --> 13:08.000 But if I try to download another web page, 13:08.000 --> 13:10.000 it's going to deny me. 13:10.000 --> 13:12.000 And we can see this. 13:12.000 --> 13:19.000 My other sandbox locks, as you can see. 13:19.000 --> 13:22.000 And the sit gives you tips. 13:22.000 --> 13:26.000 So let's go ahead and try to download leeches. 13:26.000 --> 13:31.000 By allowing it from my one, which takes a bit. 13:31.000 --> 13:36.000 Again, here I wanted to show how to configure the sandbox dynamically. 13:36.000 --> 13:39.000 You can do this all statically at startup as well. 13:39.000 --> 13:43.000 That's try again. OK, this is another one. 13:43.000 --> 13:45.000 So let's allow this. 13:45.000 --> 13:48.000 It will take a bit to end of all of them. 13:48.000 --> 13:52.000 So basically, you can do this one by one. 13:52.000 --> 13:56.000 You can load a file descriptor as we did before. 13:56.000 --> 13:58.000 Let's get now. 13:58.000 --> 14:01.000 OK, we are coming close. 14:01.000 --> 14:06.000 So now we are going to allow this. 14:06.000 --> 14:14.000 And also four, four, three. 14:14.000 --> 14:17.000 And we should be good to go. 14:17.000 --> 14:19.000 See, it downloaded. 14:19.000 --> 14:24.000 As you can see, you can configure this sandbox from it in sandbox as well. 14:24.000 --> 14:31.000 So this way, you can make a step by step, open BST pledge like the confinement as well. 14:31.000 --> 14:35.000 And this is all I have. 14:35.000 --> 14:38.000 See, if you have any questions, I can't take now. 14:49.000 --> 14:51.000 No questions? 14:51.000 --> 14:53.000 Yes, please. 14:53.000 --> 14:58.000 How complete is the implementation comprehensive? 14:58.000 --> 15:01.000 How complete is the implementation complete? 15:01.000 --> 15:03.000 Where to device the question? 15:03.000 --> 15:08.000 First of all, sit has been used for 16 years as the default sandbox of Exarbo. 15:08.000 --> 15:11.000 An Exarbo has packaged testing by default. 15:11.000 --> 15:13.000 So we run all tests under sit box. 15:13.000 --> 15:19.000 Any test that passes without the sit box, but not without sit is considered a sandbox box. 15:19.000 --> 15:22.000 But, and over the years, we have fixed a lot of things. 15:22.000 --> 15:26.000 Complete is a big, big work. 15:26.000 --> 15:31.000 You can say sit stable, you can say sit gives you a stable Linux API. 15:31.000 --> 15:32.000 So, yeah. 15:32.000 --> 15:37.000 And this day, you can use it as a general purpose sandbox from sandboxing and genics, 15:37.000 --> 15:43.000 to sandboxing files or any similar workload. 15:43.000 --> 15:44.000 Yeah. 15:44.000 --> 15:49.000 Any other questions, please? 15:49.000 --> 15:50.000 Okay. 15:50.000 --> 15:51.000 Just pause map, Mama-Ils had an interestingCI. 15:51.000 --> 15:52.000 OK. 15:52.000 --> 15:54.000 Right. 15:54.000 --> 15:55.000 There's no room. 15:59.000 --> 16:02.000 Hello. 16:02.000 --> 16:05.000 Ready? 16:05.000 --> 16:06.000 Yes, thank you. 16:06.000 --> 16:07.000 Thank you. 16:07.000 --> 16:11.000 Bye. 16:11.000 --> 16:12.000 Next? 16:12.000 --> 16:14.000 To update on tour. 16:14.000 --> 16:16.000 I want to ask that question. 16:16.000 --> 16:17.000 Please. 16:17.000 --> 16:21.000 Yes, please, please wait to mic. 16:21.000 --> 16:50.000 So I have question, because right now, of course, it's going to be questioned about AI. 16:50.000 --> 16:58.000 Right now, we have some problems like trying to sandbox machine learning workloads. 16:58.000 --> 17:06.000 And some teams, some organizations are doing something like running clusters with full access to the internet because we're not. 17:06.000 --> 17:10.000 Of course, you can create a pop proxy and limitations but still. 17:10.000 --> 17:14.000 There are options that you try to run the images of the models. 17:14.000 --> 17:26.000 How can we use this setup to mitigate this kind of attacks, especially when some models try to load the glitches code from the internet? 17:26.000 --> 17:27.000 Is it possible? 17:27.000 --> 17:32.000 Yes, it's possible. First of all, it is possible to sandbox AI workloads. 17:32.000 --> 17:37.000 With sit, we have what's called Iochial sandbox and where you can sandbox rather than paths. 17:37.000 --> 17:45.000 You actually sandbox Iochial requests. And maybe I can quickly show you here in the, in the, 17:45.000 --> 17:49.000 Where is it? I lost it nice. 17:49.000 --> 17:51.000 Okay, anyway, it's an unfortunate content. 17:51.000 --> 17:55.000 But I was going to show you the Iochial requests. 17:55.000 --> 18:03.000 You can even in learning mode, it will learn which Iochial requests are done to the whatever device, the AI or AI, whatever. 18:03.000 --> 18:07.000 And then it will give you a list of all these requests. 18:07.000 --> 18:11.000 And then with that, you can just run your AI workload under sit. 18:11.000 --> 18:15.000 And then what you are limiting is basically up to you, are you allowing it network? 18:15.000 --> 18:20.000 Are you want to run it in a network namespace? Again, sit is a general sandbox. 18:20.000 --> 18:25.000 You are supposed to build to actual sandbox with your configuration, but this is very much possible. 18:25.000 --> 18:31.000 You can't tell it to go to some IP addresses, but not others and so on. This is possible, yes. 18:31.000 --> 18:36.000 Thank you for the question. 18:36.000 --> 18:38.000 Yes, please. 18:38.000 --> 18:42.000 What about the workloads on the GPU? How do you handle this? 18:42.000 --> 18:44.000 For example, idea. 18:44.000 --> 18:47.000 It's basically the same thing. 18:47.000 --> 18:50.000 GPU access is typically done through Iochials. 18:50.000 --> 18:57.000 And what device or does is actually device or keeps a list of and media Iochials by version, right? 18:57.000 --> 19:01.000 So in this way, it's easier for you to use device or sit doesn't give you that. 19:01.000 --> 19:03.000 But sit gives you a way to do this. 19:03.000 --> 19:07.000 So you can run it under learning more than quickly get the request numbers. 19:07.000 --> 19:12.000 These are basically random looking numbers that you have to allow for the GPU access. 19:12.000 --> 19:13.000 And that's how it works. 19:13.000 --> 19:18.000 Yeah, yeah, sure. 19:18.000 --> 19:21.000 Any other questions? 19:21.000 --> 19:25.000 Looking around? 19:33.000 --> 19:36.000 All right, thank you everyone for watching.